Abstract

We advocate a new approach of addressing hidden structure problems and finding efficient
quantum algorithms. We introduce and investigate the Hidden Symmetry Subgroup Problem
(HSSP), which is a generalization of the well-studied Hidden Subgroup Problem (HSP). Given
a group acting on a set and an oracle whose level sets define a partition of the set, the task
is to recover the subgroup of symmetries of this partition inside the group. The HSSP provides
a unifying framework that, besides the HSP, encompasses a wide range of algebraic oracle
problems, including quadratic hidden polynomial problems. While the HSSP can have provably
exponential quantum query complexity, we obtain efficient quantum algorithms for various
interesting cases. To achieve this, we present a general method for reducing the HSSP to the
HSP, which works efficiently in several cases related to symmetries of polynomials. The HSSP
therefore connects in a rather surprising way certain hidden polynomial problems with the HSP. 
Using this connection, we obtain the first efficient quantum algorithm for the hidden polynomial 
problem for multivariate quadratic polynomials over fields of constant characteristic. We also 
apply the new methods to polynomial function graph problems and present an efficient quantum 
procedure for constant degree multivariate polynomials over any field. This result improves in 
several ways the currently known algorithms. 

1 Introduction 

The main goal of quantum computing is to identify suitable classes of problems and to find efficient 
quantum algorithms for them that provide a significant speed-up over their classical counterparts. 
The vast majority of such examples consists of group-theoretical problems that can be formulated
within the framework of the hidden subgroup problem (HSP). This problem can be cast in the
following terms: We are given a finite group G and a black-box function from G to some finite set.
The level sets of the function correspond to the right cosets of some subgroup H. We say that f
hides H and the task is to determine this hidden subgroup. One query of the function counts as
one step in the computation and an algorithm is efficient if its running time is polynomial in the 
logarithm of the size of the group. While no classical algorithm is known to solve this problem with 
polynomial query complexity, the problem is computationally solvable in quantum polynomial time 
for every abelian group [Ml El ITj . 

Several attempts were made to extend the quantum solution of the abelian HSP. Most of the 
research focused on the HSP in non-abelian groups since these include several algorithmically impor- 
tant problems. For example, it is known that efficient solutions for the dihedral and the symmetric 
group would imply efficient solutions for some lattice problems [22] and for graph isomorphism, re- 
spectively. While some progress has been made in this direction [3l dOl EZl [l3l dH UHl [H] , the HSP 
for the dihedral and symmetric groups remains unsolved. It is already known that the methods for 
solving the abelian case fail for several non-abelian groups [21, 15]. The goal of obtaining efficient
quantum algorithms for larger classes of non-abelian groups turned out to be rather elusive. 

Another idea for generalizing the problem was proposed by Childs, Schulman and Vazirani [6] 
who considered properties of algebraic sets hidden by black-box functions. One of these problems is 
the hidden polynomial problem (HPP) where the hidden object is a polynomial. To recover it we 
have at our disposal an oracle whose level sets coincide with the level sets of the polynomial. Childs 
et al. [6] showed that the quantum query complexity of this problem is polynomial in the logarithm 
of the field size provided that the degree and the number of variables are held constant, leaving the 
question of the time complexity as an open question. The authors also formulated computationally 
efficient quantum procedures for some related problems, such as the hidden radius and the hidden 
flat of centers. Nonetheless, to the best of our knowledge, no efficient quantum polynomial time
algorithm has been proposed for the general HPP, not even for the simplest problem of hidden 
quadratic polynomials in one variable (HQPP). 

In [9], Decker, Draisma and Wocjan defined a related problem that we refer to as the hidden 
polynomial graph problem (HPGP) to distinguish it from the HPP. Here, similarly to the HPP, 
the hidden object is a polynomial, but the oracle is more powerful because it can also be queried 
on the graphs that are defined by the polynomial functions. They obtained a polynomial time 
quantum algorithm that correctly identifies the hidden polynomial when the degree and the number 
of variables are considered to be constant. Their proof applies to all finite fields whose characteristic 
is not in a finite set of exceptional characteristics that depend on the degree of the polynomials. 

In this paper, we advocate a third possible approach to find hidden structures. We consider a 
group G acting on some finite set M, and we suppose that we have at our disposal a black-box 
function whose level sets define a partition of M. The object we would like to recover is the group 
of symmetries of this partition inside G, i.e., the subgroup whose orbits under the action coincide 
with the classes of the partition. We call this problem the hidden symmetry subgroup problem 
(HSSP). It is easy to see that the HSP is a special case of the HSSP when the group acts on itself 
and the action corresponds to the group operation. But, for some actions, the HSSP is provably 
harder than any HSP. We show that Grover's search can be cast as an HSSP, establishing that 
certain cases of the HSSP have exponential quantum query complexity. This is in contrast to the 
HSP that has polynomial quantum query complexity for all groups [11].

The potential of the HSSP lies mainly in the possibility of extending the HSP techniques to more 
general group actions that still admit efficient quantum procedures. We demonstrate the power of 
this new approach by designing and improving quantum algorithms for several algebraic problems. 
To achieve this we reduce both the HQPP and the univariate HPGP to appropriate HSSPs for
which we can give efficient quantum solutions in some interesting cases. Besides the construction
of efficient algorithms, the formulation of problems as HSSP can also shed new light on their
structure. For example, the apparent difficulty of the HQPP over prime fields might be explained
by the equivalence of this problem to the HSP in the dihedral group, a connection discovered via
their relations to the HSSP. It is also worth noting that the hidden shifted multiplicative character
problem of van Dam, Hallgren and Ip [8] is a version of the HSSP with an additional promise on
the input.

To establish our algorithmic results, we first concentrate on the question of whether the HSSP 
can be reduced in some cases to the related HSP that we obtain by forgetting about the action. 
We design a reduction scheme, which involves the generalization of bases known from the theory 
of permutation groups. We are able to show that when the action has an efficiently computable 
generalized base then the HSSP is indeed efficiently reducible to the related HSP (Proposition [2]). 
Then we describe a probabilistic construction of such bases for a large class of Frobenius groups. 
Therefore, the above reduction applies to these groups (Theorem [1]). These groups include among
others a large variety of affine groups and the HSSP is efficiently solvable for these groups by a 
quantum algorithm. We remark that in [20] it is proved that the HSSP (in a slightly different 
formulation) can be solved efficiently for some of these affine groups. The proof uses essentially the 
same reduction technique. 

We then establish several surprising connections between hidden polynomial problems and the 
HSSP. In fact, the HQPP turns out to be equivalent in a very strong sense to the HSSP over a 
related affine group. Combined with the above reduction to the related HSP, we are able to give the 
first ever quantum polynomial time solution for the HQPP over fields of constant characteristic 
(Theorem [2]). We then give a quantum reduction of the multivariate quadratic HPP to the 
HQPP, which implies that over fields of constant characteristic this multivariate problem is also 
solvable in quantum polynomial time (Theorem [3]).

Finally, for dealing with the HPGP, we define a class of semidirect product groups which 
we call function graph groups. We show that the HPGP for univariate polynomials of degree 
at most d coincides with the HSSP over a corresponding function graph group. These groups 
turn out to have a base of size d, and therefore our general reduction to the related HSP applies 
(Theorem [4]). Based on this reduction, we improve the results of [9] by showing that there is 
a quantum polynomial time algorithm for the HPGP over every field when the degree of the 
polynomials is constant (Theorem [5]).

2 Preliminaries 

We first fix some useful notation: $n$ denotes a positive integer, $p$ a prime number, $q$ a prime power,
$\mathbb{Z}_n$ the additive group of integers modulo $n$, $\mathbb{F}_q$ the finite field of size $q$, and $\mathbb{F}_q[x]$ the set of
univariate polynomials of degree at most $d$ over $\mathbb{F}_q$.



2.1 Level sets and problem classes 

Simply speaking, we study the general problem of determining hidden objects related to a given
algebraic structure. The algebraic structure is specified by parameters of the problem, which are
finite groups, families of subgroups of a given group, group actions, finite fields, and integers in
the present case. We assume that we have access to an unknown member of a family of black-box
functions $f : A \to S$, where $A$ is part of the structure and $S$ is some finite set. We consider this
function $f$ as the oracle input. We are restricted to identifying the hidden object solely from the
information we obtain by querying the oracle $f$. In fact, the only useful information we can obtain
is the structure of the level sets $f^{-1}(s) = \{a \in A : f(a) = s\}$, $s \in S$, that is, we can only determine
whether two elements in $A$ are mapped to the same value or not. All non-empty level sets together
constitute a partition of $A$ which we denote by $\pi_f$.

Definition 1. The hidden subgroup problem HSP is parametrized by a finite group $G$ and a family
$\mathcal{H}$ of subgroups of $G$.

$\mathrm{HSP}(G, \mathcal{H})$.

Oracle input: A function $f$ from $G$ to some finite set $S$ such that for some subgroup
$H \in \mathcal{H}$, we have $f(x) = f(y) \iff Hx = Hy$.

Output: $H$.

The hidden polynomial problem HPP is parametrized by a finite field $\mathbb{F}_q$ and two positive integers
$n$ and $d$.

$\mathrm{HPP}(\mathbb{F}_q, n, d)$.

Oracle input: A function $f$ from $\mathbb{F}_q^n$ to some finite set $S$ such that for some $n$-variate
polynomial $\mathcal{P}$ of degree $d$ over $\mathbb{F}_q$, we have $f(x) = f(y) \iff \mathcal{P}(x) = \mathcal{P}(y)$.

Output: $\mathcal{P}$.

For every $u \in \mathbb{F}_q$ we define a monic quadratic polynomial over $\mathbb{F}_q$ by $\mathcal{P}_u(x) = x^2 - 2ux$. The hidden
quadratic polynomial problem HQPP is parametrized by some finite field $\mathbb{F}_q$.

$\mathrm{HQPP}(\mathbb{F}_q)$.

Oracle input: A function $f$ from $\mathbb{F}_q$ to some finite set $S$ such that we have
$f(x) = f(y) \iff \mathcal{P}_u(x) = \mathcal{P}_u(y)$.

Output: $\mathcal{P}_u$.

The hidden polynomial graph problem HPGP is parametrized by a finite field $\mathbb{F}_q$ and two positive
integers $n$ and $d$.

$\mathrm{HPGP}(\mathbb{F}_q, n, d)$.

Oracle input: A function $f$ from $\mathbb{F}_q^n \times \mathbb{F}_q$ to a finite set $S$ such that for some $n$-variate
polynomial $Q$ of degree $d$ over $\mathbb{F}_q$ we have $f(x_1, y_1) = f(x_2, y_2) \iff y_1 - Q(x_1) = y_2 - Q(x_2)$.

Output: $Q$.

In all these problems we say that the input $f$ hides the output of the problem.

In the definition of the HQPP we restrict our attention to monic polynomials with zero constant
term because adding a constant to a polynomial or multiplying all coefficients with the same non-zero
constant does not change the partition $\pi_f$. Furthermore, observe that for the HPGP we have a
more powerful oracle at our disposal than for the HPP, because an HPGP oracle $f(x, y)$ restricted
to $y = 0$ is equivalent to an HPP oracle.

In all these problems the task is to determine the output hidden by the oracle input. We
measure the time complexity of an algorithm by the overall running time when a query counts as one
computational step. An algorithm is efficient if its time complexity is polynomial in the logarithm
of the size of the group or field, and in the size of the integers in unary in the parametrization of
the problem.



2.2 Semidirect product groups 

Let $K$ and $H$ be finite groups and let $\phi : h \mapsto \phi_h$ be a homomorphism from $H$ to the group of
automorphisms of $K$. Then the semidirect product $K \rtimes_\phi H$ is the cartesian product of $K$ and $H$
equipped with the multiplication defined as $(k, h) \cdot (k', h') = (k \cdot \phi_h(k'), h \cdot h')$. We use the notation
$K \rtimes H$ for $K \rtimes_\phi H$ whenever $\phi$ is clear from the context.

2.3 Group actions and partitions 

A left permutation action of a group $G$ on a set $M$ is a binary function $\circ : G \times M \to M$, where
we denote $\circ(g, m)$ by $g \circ m$, which for all $g, h \in G$ and $m \in M$ satisfies $g \circ (h \circ m) = (gh) \circ m$ and
$e \circ m = m$ for the identity element $e$ of $G$. For a subset $L \subseteq M$ we set $g \circ L = \{g \circ m : m \in L\}$. The
stabilizer subgroup $G_m$ of $m$ is defined as $\{g \in G : g \circ m = m\}$; it consists of the elements in $G$ which
fix $m$. The action $\circ$ is faithful if $\bigcap_{m \in M} G_m = \{e\}$. Throughout the paper we assume faithfulness.
If $G$ acts on $M$, then every subgroup $H$ of $G$ acts also naturally on $M$. The $H$-orbit of $m \in M$ is
the subset of $M$ where $m$ can be moved to by elements of $H$, formally $H \circ m = \{h \circ m : h \in H\}$.

The $H$-orbits form a partition $H^* = \{H \circ m : m \in M\}$ of $M$. For a partition $\pi = \{\pi_1, \ldots, \pi_\ell\}$
of the set $M$, we define the subgroup $\pi^* = \{g \in G : (\forall i)\ g \circ \pi_i = \pi_i\}$. We call $\pi^* \le G$ the
group of symmetries of $\pi$ within $G$. This is the subgroup of elements that stabilize every class of
the partition $\pi$ under the given action. Let $(\mathcal{S}(G), \subseteq)$ be the lattice of subgroups of $G$ under the
inclusion relation, and let $(\Pi(M), \le)$ be the lattice of partitions of $M$, where by definition $\pi \le \pi'$
if $\pi'$ is finer than $\pi$. The maps $H \mapsto H^*$ and $\pi \mapsto \pi^*$ define an order-reversing Galois connection
between $(\mathcal{S}(G), \subseteq)$ and $(\Pi(M), \le)$, that is $H \le \pi^*$ if and only if $\pi \le H^*$. The subgroup $H^{**}$ is
the closure of $H$ [3]; it consists of the elements in $G$ which stabilize every $H$-orbit. The closure
of a partition $\pi$ is $\pi^{**}$; it consists of the orbits of its group of symmetries. It is always true that
$H \subseteq H^{**}$. The subgroup $H$ is closed if $H = H^{**}$, or equivalently, there exists a partition $\pi$ such
that $H = \pi^*$. Similarly, $\pi$ is closed if $\pi = \pi^{**}$. We denote by $\mathcal{C}(G)$ the family of all closed subgroups
in $G$.

2.4 The hidden symmetry subgroup problem 

Definition 2. The hidden symmetry subgroup problem HSSP is parametrized by a finite group $G$,
a finite set $M$, an action $\circ : G \times M \to M$ of $G$ on $M$, and a family $\mathcal{H}$ of closed subgroups of $G$.

$\mathrm{HSSP}(G, M, \circ, \mathcal{H})$.

Oracle input: A function $f$ from $M$ to some finite set $S$ such that for some subgroup
$H \in \mathcal{H}$, we have $f(x) = f(y) \iff H \circ x = H \circ y$.

Output: $H$.

In general, there can be several subgroups whose orbits coincide with the level sets of $f$, but the
closures of these subgroups are the same. The unique closed subgroup that satisfies the promise
is $\pi_f^*$, and this is exactly the output of the problem. We will say that $f$ hides $H$ by symmetries.
In fact, it would be natural to extend HSSP to the more general setting where $f$ is an arbitrary
function on $M$ and the task is to determine the (closed) subgroup $\pi_f^*$. The restriction we use in
this paper is that $\pi_f$ is a closed partition with $\pi_f^* \in \mathcal{H}$. We define an algorithm for solving the
HSSP as efficient if it is polylogarithmic in $|G|$.

It is easy to see that the HSP is a special case of the HSSP when we set $M = G$ and choose the
group action $\circ$ to be the group operation, that is $g \circ h = gh$. For this action every subgroup of $G$
is closed, and a function $f$ hides a subgroup $H$ if and only if $f$ hides $H$ by symmetries.

Given $\mathrm{HSSP}(G, M, \circ, \mathcal{H})$, by forgetting about the group action we obtain $\mathrm{HSP}(G, \mathcal{H})$. We call
this problem the related HSP.

2.5 Related results 

While the HSP is generally hard in non-abelian groups, its query complexity is always small, due
to a classical result of Ettinger, Høyer and Knill [11].

Fact 1. For every finite $G$, the $\mathrm{HSP}(G, \mathcal{C}(G))$ has polynomial query complexity.

Among groups where the HSP is solvable in quantum polynomial time, some affine groups will
be of importance for us. For a subgroup $H$ of $\mathbb{F}_q^*$ let $\mathrm{Aff}_q(H)$ denote the semidirect product $\mathbb{F}_q \rtimes H$,
and let $\mathcal{FC}$ be the family of conjugates of $H$ by an element of $\mathbb{F}_q$ (for a detailed discussion of these
groups see Section 4.2). The following positive results on the solvability of the HSP were obtained
respectively by Moore et al. [19] and Friedl et al. [12].

Fact 2. The following cases of the HSP can be solved in polynomial time:

(a) $\mathrm{HSP}(\mathrm{Aff}_q(H), \mathcal{FC})$, where $q$ is a prime and $H \le \mathbb{F}_q^*$ such that $1 < |H| < q - 1$ and
$|H| = \Omega(q/\mathrm{polylog}(q))$.

(b) $\mathrm{HSP}(G, \mathcal{C}(G))$, where $G$ is a finite group such that $G'$ is commutative and every element of $G'$
has an order bounded by a constant.

The query complexity of the HPP was investigated by Childs, Schulman and Vazirani [6]. They
showed the following.

Fact 3. If $n > 2$ and $d$ are constants, then for a $1 - o(1)$ fraction of the hidden polynomials,
$\mathrm{HPP}(\mathbb{F}_q, n, d)$ has polylogarithmic query complexity.

Here, like in the case of the HQPP, polynomials are determined up to constant terms and
scalar factors. We are not aware of any results regarding the quantum computational complexity
even in the univariate quadratic case. For the HPGP, Decker, Draisma and Wocjan [9] showed the
following.

Fact 4. (a) $\mathrm{HPGP}(\mathbb{F}_q, n, d)$ can be reduced in polynomial time to $\mathrm{HPGP}(\mathbb{F}_q, 1, d)$ for every constant
$n$. (b) For every $d$ there exists a finite set $E_d$ of primes such that if $d$ is constant and the
characteristic of $\mathbb{F}_q$ is not in $E_d$ then $\mathrm{HPGP}(\mathbb{F}_q, 1, d)$ can be solved in quantum polynomial time.

3 A general reduction of the HSSP to the HSP 

How much greater is the complexity of an HSSP compared to the complexity of the related HSP? 
To analyze this, we first give a simple example, which shows that the query complexity of the 
HSSP can be exponentially higher than the query complexity of the related HSP. Then, more 
interestingly, we will establish a general condition on the group action under which the HSSP can 
be reduced in polynomial time to the related HSP. 



3.1 HSSP with exponential query complexity 

While the quantum query complexity of the HSP is polylogarithmic in the size of the group, we
show in this section that the query complexity of an HSSP can be in the order of $|G|^{1/4}$. More
precisely, we show that Grover's search problem can be reduced to some specific HSSP.

For a prime power $q$, the general affine group $\mathrm{Aff}_q$ of invertible affine transformations over $\mathbb{F}_q$
is defined as the semidirect product $\mathbb{F}_q \rtimes \mathbb{F}_q^*$, where $\mathbb{F}_q^*$ denotes the multiplicative group of $\mathbb{F}_q$. The
natural action of $\mathrm{Aff}_q$ on $\mathbb{F}_q$ is defined as $(b, a) \circ x = ax + b$. For every $c \in \mathbb{F}_q$, the stabilizer of
$c$ is the subgroup $H_c = \{((1 - a)c, a) : a \in \mathbb{F}_q^*\}$, which has two orbits: $\{c\}$ and $\{d \in \mathbb{F}_q : d \ne c\}$.
Clearly, $H_c$ is a closed subgroup. We set $\mathcal{H} = \{H_c : c \in \mathbb{F}_q\}$.

Proposition 1. The query complexity of $\mathrm{HSSP}(\mathrm{Aff}_q, \mathbb{F}_q, \circ, \mathcal{H})$ is $\Omega(q^{1/2})$.

Proof. Grover's search over $\mathbb{F}_q$ can be trivially reduced to this HSSP. Indeed, if the oracle input
is $f_c$, defined by $f_c(x) = \delta_{c,x}$, where $\delta_{c,x}$ is the Kronecker delta, then $f_c$ hides $H_c$ as symmetry
subgroup. From any generator $(b, a)$ of $H_c$ one recovers $c$ simply by computing $(1 - a)^{-1} b$. Hence,
the query complexity of the HSSP is at least the query complexity $\Omega(q^{1/2})$ of Grover's search [2]. □

3.2 A reduction scheme of the HSSP to the HSP 

In this section, we describe a rather natural framework for reducing the HSSP to the related HSP.
Essentially, the same idea was used in [20] for reducing certain hidden shift problems to the HSP
in the affine group over prime fields. We assume that we are given a black-box function $f$ over
$M$, which hides some subgroup $H$ of $G$ by symmetries. With the help of $f$, we would like to
construct a suitable function $f_{\mathrm{HSP}}$ over $G$, which hides $H$. A first approach could be to define
$f_{\mathrm{HSP}}(g) = f(g \circ m)$, where $m$ is a fixed element of $M$. Unfortunately, this works only in very
exceptional cases because $f_{\mathrm{HSP}}$ takes constant values on the left cosets of the stabilizer $G_m$ of $m$.
Therefore, even in the simple case when $f$ hides the trivial subgroup, the function $f_{\mathrm{HSP}}$ will not
work unless the stabilizer of $m$ is trivial. As a straightforward refinement of this idea, we can pick
several elements $m_1, \ldots, m_t \in M$, and define

$f_{\mathrm{HSP}}(g) = (f(g \circ m_1), \ldots, f(g \circ m_t))$.

For the trivial hidden subgroup, this idea works when the common stabilizer of $m_1, \ldots, m_t$ is trivial,
that is, when $\bigcap_{i=1}^{t} G_{m_i} = \{e\}$. In the theory of permutation groups such a system of elements is
called a base [23]. Of course, bases exist only if the action of $G$ is faithful. The following definition
includes further conditions on $m_1, \ldots, m_t$ in order to make the above construction work in general.

Definition 3. Let $G$ be a finite group and let $\circ : G \times M \to M$ be an action of $G$ on the finite set
$M$. Let $H \le G$ be a subgroup of $G$, and let $\mathcal{H}$ be a family of subgroups of $G$. A set $B \subseteq M$ is an
$H$-strong base if for every $g \in G$, we have

$\bigcap_{m \in B} H G_{g \circ m} = H$.

We call $B$ an $\mathcal{H}$-strong base when it is $H$-strong for every subgroup $H \in \mathcal{H}$.

Observe that $\bigcap_{m \in M} H G_m = H^{**}$. Hence, $M$ itself is always a $\mathcal{C}(G)$-strong base. If $B$ is an
$H$-strong base, then $B$ is also an $(x^{-1}Hx)$-strong base for every $x \in G$. Therefore, if $\mathcal{H}$ consists
of conjugated subgroups, then $B$ is an $\mathcal{H}$-strong base if it is an $H$-strong base for some $H \in \mathcal{H}$.
Also, if $\mathcal{H}$ is closed under conjugation by elements of $G$, $B$ is an $\mathcal{H}$-strong base if and only if
$\bigcap_{m \in B} H G_m = H$ for every $H \in \mathcal{H}$.

The following lemma states that the HSSP is indeed reducible to the HSP via an $\mathcal{H}$-strong
base.

Lemma 1 (Reduction of HSSP to HSP). Let $G$ be a finite group, and let $\circ$ be an action of $G$ on
$M$. Suppose that the function $f : M \to S$ hides some $H \in \mathcal{H}$ by symmetries. Let $B = \{m_1, \ldots, m_t\}$
be an $\mathcal{H}$-strong base. Then $H$ is hidden by the function $f_{\mathrm{HSP}}(g) = (f(g \circ m_1), \ldots, f(g \circ m_t))$.

Proof. We will show that for every $x, y \in G$, we have $f_{\mathrm{HSP}}(x) = f_{\mathrm{HSP}}(y)$ if and only if $y \in Hx$. To
see the "only if" part, suppose that $f_{\mathrm{HSP}}(x) = f_{\mathrm{HSP}}(y)$. Then by definition $f(x \circ m) = f(y \circ m)$,
for every $m \in B$. Therefore, for every $m \in B$ there exists an element $h_m \in H$ such that
$x \circ m = h_m \circ (y \circ m)$. This equality implies that $m = (x^{-1} h_m y) \circ m$, that is $x^{-1} h_m y \in G_m$. Thus
$y \in h_m^{-1} x G_m$, for every $m \in B$, from which we can deduce $y \in \bigcap_{m \in B} H x G_m$. Now observe that
$x G_m x^{-1} = G_{x \circ m}$, and therefore $y \in \bigcap_{m \in B} H G_{x \circ m} x$. From this we can conclude $y \in Hx$ because $B$
is an $\mathcal{H}$-strong base. To show the reverse implication, suppose that $y = hx$ for some $h \in H$. This implies
$y \circ m = h \circ (x \circ m)$, for all $m \in B$. Since $f$ hides $H$ as symmetry subgroup, we have $f(y \circ m) = f(x \circ m)$,
again for all $m \in B$, implying $f_{\mathrm{HSP}}(y) = f_{\mathrm{HSP}}(x)$ by the definition of $f_{\mathrm{HSP}}$. □

The following statement is immediate from Lemma 1.

Proposition 2. Let $G$ be a finite group, $M$ a finite set, $\circ$ a polynomial time computable action of
$G$ on $M$, and $\mathcal{H}$ a family of subgroups of $G$. If there exists an efficiently computable $\mathcal{H}$-strong base
in $M$, then $\mathrm{HSSP}(G, M, \circ, \mathcal{H})$ is polynomial time reducible to $\mathrm{HSP}(G, \mathcal{H})$.

4 The HSSP for Frobenius complements and the HQPP 

In view of Proposition 2, we are interested in group actions for which there exist easily computable
(and therefore also small) bases for some interesting families of subgroups. If in addition the related
HSP is easy to solve then we have efficiently solvable HSSPs. It turns out that Frobenius groups
under some conditions not only have these properties, but also that the HQPP can be cast as one
of these HSSPs.

4.1 Strong bases in Frobenius groups

A Frobenius group is a transitive permutation group acting on a finite set such that only the
identity element has more than one fixed point and some non-trivial element fixes a point (see for
example [S]). Let us recall here some notions and facts about these groups. Let $G$ be a Frobenius
group with action $\circ_M$ on $M$. The identity element together with the elements of $G$ that have no
fixed points form a normal subgroup $K$, the Frobenius kernel, for which we also have $|K| = |M|$.
A subgroup $H$ of $G$ is a Frobenius complement if it is the stabilizer $H_m$ of some element $m \in M$.
It is a subgroup complementary to $K$, that is $K \cap H = \{1\}$ and $G = KH$. Hence, the group $G$ is
a semidirect product $K \rtimes H$ of $K$ and $H$. We define the binary operation $\circ_K : G \times K \to K$ by

$g \circ_K x = y h x h^{-1}$,

when $x \in K$ and $g = yh$ with $y \in K$ and $h \in H$. It is a straightforward computation to check that
$\circ_K$ is an action of $G$ on $K$. Furthermore, we can identify the action $\circ_M$ with the action $\circ_K$ via the
map $\phi : M \to K$ defined as follows. For any $n \in M$, there exists $g_n \in G$ such that $g_n \circ_M m = n$
since $G$ is transitive. If $g_n = y_n h_n$ with $y_n \in K$ and $h_n \in H$, by definition we set $\phi(n) = y_n$. Then
indeed for every $g \in G$ and $n \in M$, we have $g \circ_K \phi(n) = \phi(g \circ_M n)$. From now on we will suppose
without loss of generality that the action is $\circ_K$ which we denote for simplicity by $\circ$.

Observe then that with respect to $\circ$, the Frobenius complement $H$ is the stabilizer of $e$, the
identity element of $K$. The orbits of $H$ are $\{e\}$ and some other subsets of $K$, each consisting
of $|H|$ elements. The other Frobenius complements are $H_x = xHx^{-1}$, for $x \in K$. They are
closed subgroups and their orbits form closed partitions. We denote by $\mathcal{FC}$ the set of Frobenius
complements in $G$.

Let $H$ be the Frobenius complement $H_e$. Since the Frobenius complements are all conjugates
of $H$, being an $\mathcal{FC}$-strong base is equivalent to being an $H$-strong base.

To characterize $H$-strong bases it will be convenient to use the following notion. For $u, v \in K$
with $u \ne v$, we say that $z \in K$ separates $u$ and $v$ if $v \circ z \notin H \circ (u \circ z)$. We have the following
characterization.

Lemma 2. Let $B \subseteq K$. Then $B$ is an $H$-strong base if and only if for all $u \ne v$ in $K$ there exists
$z \in B$ which separates $u$ and $v$.

Proof. To see the "if" part of the statement, suppose that $g' \in \bigcap_{z \in B} H G_{g \circ z}$ for some $g', g \in G$.
We will prove that $g' \in H$. Let $g = yh$ and $g' = y'h'$, where $y, y' \in K$ and $h, h' \in H$. Then
for every $z \in B$, there exists $h_z \in H$ such that $g' \circ (g \circ z) = h_z \circ (g \circ z)$. Using the definition
of $\circ$, this equality can be rewritten as $y'h'yhzh^{-1}h'^{-1} = h_z y h z h^{-1} h_z^{-1}$, which is equivalent
to $h^{-1}h'^{-1}y'h'yhz = h^{-1}h'^{-1}h_z h\, h^{-1}yhz\, h^{-1}h_z^{-1}h'h$. Using again the definition of $\circ$, this is
$h^{-1}h'^{-1}y'h'yh \circ z = h^{-1}h'^{-1}h_z h \circ (h^{-1}yh \circ z)$. Set $u = h^{-1}yh$ and $v = h^{-1}h'^{-1}y'h'yh$. Then for
every $z \in B$, we have $v \circ z \in H \circ (u \circ z)$, that is, no element in $B$ separates $u$ and $v$. Therefore, by
the assumption we get $u = v$, which is equivalent to $y' = e$. Thus $g' = h'$ is indeed an element of
$H$.

To see the reverse implication, assume that there exist $u, v \in K$, $u \ne v$, such that none of the
elements $z \in B$ separate $u$ and $v$. This means that for every $z \in B$ there exists an element $h_z \in H$
such that $v \circ z = h_z \circ (u \circ z)$. Using $v \circ z = (vu^{-1}) \circ (u \circ z)$, this equality implies
$vu^{-1} \circ (u \circ z) = h_z \circ (u \circ z)$, whence $h_z^{-1}vu^{-1} \circ (u \circ z) = u \circ z$, that is, $h_z^{-1}vu^{-1} \in G_{u \circ z}$. This gives
$vu^{-1} \in h_z G_{u \circ z} \subseteq H G_{u \circ z}$ for every $z \in B$, that is, $vu^{-1} \in \bigcap_{z \in B} H G_{u \circ z}$. As $vu^{-1} \notin H$, this
contradicts the definition of a strong base. □

Our next lemma gives a lower bound on the number of elements in $K$ that separate $u$ and $v$.

Lemma 3. Let $|H| \ne |K| - 1$. Then for any two distinct elements $u$ and $v$ of $K$ we have

$|\{z \in K : z \text{ separates } u \text{ and } v\}| > |K|/2$.

Proof. If $z$ does not separate $u$ and $v$ then there exists an element $h \in H$ such that $vz = huzh^{-1}$
which can also be written as $hu^{-1}h^{-1}v = hzh^{-1}z^{-1}$. We say that such an element $h$ belongs to
$z$. The identity element $h = e$ does not belong to any element $z \in K$ since $u \ne v$. We claim
that $h \ne e$ cannot belong to two distinct elements of $K$. Indeed, if $hzh^{-1}z^{-1} = hz'h^{-1}z'^{-1}$ then
$hz'^{-1}zh^{-1} = z'^{-1}z$, which in turn implies that $z'^{-1}z = e$ as $e$ is the only element of $K$ stabilized
by the elements of $H$. Therefore, there are at most $|H| - 1$ elements in $K$ which do not separate
$u$ and $v$. In other words, at least $|K| - |H| + 1$ of the elements of $K$ separate $u$ and $v$. Note that
$H$ has $(|K| - 1)/|H|$ orbits of length $|H|$ on the nontrivial elements of $K$, and thus $|H|$ divides but
is not equal to $|K| - 1$, which implies $|H| \le (|K| - 1)/2$. From this we can indeed conclude, since
then $|K| - |H| + 1 > |K|/2$. □

We have the following result regarding the existence of small strong bases for $\mathcal{FC}$.

Proposition 3. Let $G$ be a Frobenius group with kernel $K$ such that the cardinality of the Frobenius
complements is different from $|K| - 1$. Let $B \subseteq K$ be a uniformly random set of size $\ell$, where
$\ell = \Theta(\log |K| \log 1/\epsilon)$. Then $B$ is an $\mathcal{FC}$-strong base with probability of at least $1 - \epsilon$.

Proof. Let $B$ be a uniformly random subset of $K$ of size $\ell$. By Lemma 2 it is sufficient to prove that
with a probability of at least $1 - \epsilon$, for every $u \ne v$, there exists an element in $B$ which separates $u$
and $v$. We will in fact upper bound the probability of the opposite event. For a fixed pair $u \ne v$, by
Lemma 3 the probability that a random $z$ does not separate $u$ and $v$ is at most $1/2$. Therefore, the
probability that none of the elements in $B$ separates $u$ and $v$ is less than $2^{-\ell}$. Thus, the probability
that for some pair $u \ne v$ none of the elements in $B$ separates $u$ and $v$ is less than $\binom{|K|}{2} 2^{-\ell}$, which
is at most $\epsilon$ by the choice of $\ell$. □

If $G$ is a Frobenius group that satisfies the condition of Proposition 3 then we can compute
efficiently a small base for the Frobenius complements, because there are efficient algorithms for
random sampling nearly uniformly in black-box groups [1]. Therefore, by Proposition 2 we can
efficiently reduce the HSSP to the related HSP and we obtain the following result.

Theorem 1. Let $G = K \rtimes H$ be a Frobenius group with action $\circ$ such that $|H| < |K| - 1$. Then
$\mathrm{HSSP}(G, K, \circ, \mathcal{FC})$ is reducible in probabilistic polynomial time to $\mathrm{HSP}(G, \mathcal{FC})$.

We remark that the reduction of Grover's search to a specific HSSP in Proposition 1 can be
extended to arbitrary Frobenius groups when $|H| = |K| - 1$, that is, sharply 2-transitive groups.
Therefore, for such groups it not only follows that small $H$-bases fail to exist but it also follows
that even the quantum query complexity of the HSSP is $\Omega(|G|^{1/4})$. Also, the only strong base in
a sharply 2-transitive group is the whole $K$.

4.2 Affine groups

As any affine group, the general affine group $\mathrm{Aff}_q = \mathbb{F}_q \rtimes \mathbb{F}_q^*$ defined in Section 3.1 is a Frobenius
group. Its kernel is $\mathbb{F}_q$. In the terminology of Frobenius groups, we have proved in Proposition 1
that for $\mathrm{Aff}_q$ the HSSP for the complements is difficult. Let $H$ be a proper subgroup of $\mathbb{F}_q^*$ which is
not the trivial group. We define the group $\mathrm{Aff}_q(H)$ as $\mathbb{F}_q \rtimes H$. With the restriction of the natural
action, denoted here by $\circ$, $\mathrm{Aff}_q(H)$ is also a Frobenius group. In contrast to the difficulty in the
full affine group, we obtain the following positive results for the smaller Frobenius groups. They
are consequences of the analogous results for the related HSP stated in Facts 1 and 2 via the
reduction of Theorem 1. Statements (a) and (b) are not new; they are proved in a slightly different
formulation in [20], using implicitly the randomized construction for a strong base. For (c) note
that the derived subgroup in $\mathrm{Aff}_q(H)$ is indeed commutative.

Corollary 1. Let $q$ be a prime power and let $H \le \mathbb{F}_q^*$ such that $1 < |H| < q - 1$. The following
results hold for $\mathrm{HSSP}(\mathrm{Aff}_q(H), \mathbb{F}_q, \circ, \mathcal{FC})$:

(a) It has polynomial query complexity.

(b) It can be solved in quantum polynomial time when $q$ is prime and $|H| = \Omega(q/\mathrm{polylog}(q))$.

(c) It can be solved in quantum polynomial time when $q$ is the power of a fixed prime.

The case of $\mathrm{Aff}_q(\{\pm 1\})$, when $q$ is an odd prime power, is particularly interesting. It turns out
that the HSSP over $\mathrm{Aff}_q(\{\pm 1\})$ for the Frobenius complements is essentially the same problem as
the HQPP over $\mathbb{F}_q$.

Proposition 4. The following problems are polynomially equivalent: 

1. HQPP($\mathbb{F}_q$)

2. HSSP($\mathrm{Aff}_q(\{\pm 1\}), \mathbb{F}_q, \circ, \mathcal{FC}$)

3. HSP($\mathrm{Aff}_q(\{\pm 1\}), \mathcal{FC}$)

Proof. The first two problems are equivalent as we claim that every $f : \mathbb{F}_q \to S$, as oracle input for
HQPP($\mathbb{F}_q$) hides the polynomial $\mathcal{P}_u$ if and only if as oracle input for HSSP($\mathrm{Aff}_q(\{\pm 1\}), \mathbb{F}_q, \circ, \mathcal{FC}$)
it hides the Frobenius complement $H_u$. To see this, observe that the level sets of $\mathcal{P}_u$ are of the form
$\{x + u, -x + u\}$, which are exactly the orbits of $H_u$. Therefore, we have the following equivalences:

    $f$ hides $\mathcal{P}_u \iff \pi_f = \{\{x + u, -x + u\} : x \in \mathbb{F}_q\}$

    $\iff f$ hides $H_u$ by symmetries

The reduction from the second problem to the third one is provided by Theorem [1]. Note that
we can construct a base deterministically by choosing two different elements of order two. For a
reduction in the reverse direction, consider a function $f$ on $\mathrm{Aff}_q(\{\pm 1\})$ which hides the subgroup
$H_u = \{(0, 1), (2u, -1)\}$. Then all the collisions taken by $f$ on elements of $\mathrm{Aff}_q(\{\pm 1\})$ are
$f(2u - b, -1) = f(b, 1)$ for $b \in \mathbb{F}_q$. We define a new function $f^\circ$ on $\mathbb{F}_q$ as $f^\circ(b) = \min(f(b, 1), f(b, -1))$.
Examining the possible collisions gives that for $b \ne b' \in \mathbb{F}_q$ we have $f^\circ(b) = f^\circ(b')$ if and only if
$b' = 2u - b = (2u, -1) \circ b$. □

Together with Corollary [1] (c) the statements of this proposition imply the following result. 
Theorem 2. HQPP($\mathbb{F}_q$) is solvable in quantum polynomial time over constant characteristic fields.

We observe that in contrast to the constant characteristic case, the HQPP appears to be difficult
over prime fields $\mathbb{F}_p$, as it is equivalent to the HSP in the dihedral group $D_{2p} = \mathrm{Aff}_p(\{\pm 1\})$.

Note that in [8] van Dam, Hallgren and Ip gave a polynomial time solution to a problem
which can be considered as a version of HSSP($\mathrm{Aff}_q(H), \mathbb{F}_q, \circ, \mathcal{FC}$) where the function hiding the
complement is promised to be a shifted multiplicative character $\chi : \mathbb{F}_q^* \to \mathbb{C}^*$. This strong promise
(in our oracle model we can only check for equality of the output values) makes the problem
efficiently solvable even in the case $H = \{\pm 1\}$ where the HSSP with general hiding function
appears to be difficult.

We also remark that strong bases in the Frobenius group $\mathrm{Aff}_q(H)$ with $|H| = (q - 1)/2$ play
an important role (under the name factoring sets) in certain algorithms for factoring univariate
polynomials over $\mathbb{F}_q$, see [7]. This is because a set $B$ which separates two (unknown) field elements
$u$ and $v$ can be used to find a proper decomposition of a polynomial having both $u$ and $v$ as roots.
In fact, an efficient deterministic construction of strong bases for such affine groups over prime
fields would imply an efficient deterministic algorithm for factoring polynomials over finite fields.

4.3 Multivariate quadratic hidden polynomials 

In this part, we reduce the HPP for multivariate polynomials of degree at most two to the univariate
HQPP. As already noted, adding a constant term does not change the level sets, therefore we
consider polynomials with zero constant term. Thus, we assume that the hidden polynomial is of
the form

    $\mathcal{P}(x_1, \dots, x_n) = \sum_{1 \le i \le j \le n} a_{ij} x_i x_j + \sum_{1 \le k \le n} b_k x_k.$    (1)

Also, as the partition $\pi_{\mathcal{P}}$ remains the same when we multiply all coefficients with the same non-zero
element from $\mathbb{F}_q$, we consider that the HPP has been solved if we determine the ratios between all
the pairs of the $n(n + 1)/2$ coefficients $a_{ij}$ and $b_k$.

Proposition 5. The problem HPP($\mathbb{F}_q, n, 2$) can be reduced on a quantum computer to $O(n^2)$
instances of HQPP($\mathbb{F}_q$) in time $(n + \log q)^{O(1)}$.

Proof. In order to simplify the following discussions we define $a_{ji}$ to be $a_{ij}$ for $j > i$. Additionally,
if $q = 2$ then we also assume $a_{ii} = 0$ because $x^2 = x$ holds over $\mathbb{F}_2$. We assume that we have a
procedure $\mathcal{R}$ for determining the coefficients of a univariate quadratic polynomial up to a common
factor. Its oracle input is a function on $\mathbb{F}_q$ that has the same level set structure as a polynomial of
the form $ax^2 + bx$. We assume that $\mathcal{R}$ decides whether $a$ is zero and if $a \ne 0$ then $\mathcal{R}$ returns the
quotient $b/a$.

We start with the case $n = 2$. We have an oracle with the same level sets as the polynomial

    $\mathcal{P}(x_1, x_2) = a_{11} x_1^2 + a_{22} x_2^2 + a_{12} x_1 x_2 + b_1 x_1 + b_2 x_2.$

We use the oracle with the inputs $(x_1, x_2) := (x, 0)$. This way, we obtain an instance of HQPP
for the univariate polynomial $a_{11} x^2 + b_1 x$. We use $\mathcal{R}$ to decide whether $a_{11}$ is zero or not and if
$a_{11} \ne 0$ then we compute the quotient $b_1/a_{11}$. Furthermore, we set $(x_1, x_2) := (x, 1)$ for the inputs
of the oracle to compute $(a_{12} + b_1)/a_{11}$ in the second step. From this result we can easily compute
the quotient $a_{12}/a_{11}$. Similarly, using the substitutions $(x_1, x_2) := (0, x)$ and $(x_1, x_2) := (1, x)$ we
decide whether $a_{22}$ is zero or not. If $a_{22} \ne 0$ then we obtain the quotients $a_{12}/a_{22}$ and $b_2/a_{22}$. We
now consider the following different cases.

• $a_{11}, a_{22} \ne 0$: If $a_{12} \ne 0$ then we have determined all coefficients of $\mathcal{P}$ up to a common factor.
If $a_{12} = 0$ then we use the inputs $(x_1, x_2) := (x, x)$ and we obtain HQPP for $(a_{11} + a_{22})x^2 +
(b_1 + b_2)x$. With $\mathcal{R}$ we can determine whether $a_{11} + a_{22}$ is zero or not. If it is non-zero then
we find an element $r \in \mathbb{F}_q$ such that $b_1 + b_2 = r(a_{11} + a_{22})$. When we write $b_i/a_{ii} = c_i$ then the
equation $(r - c_1)a_{11} = (c_2 - r)a_{22}$ follows. Since $a_{11} \ne 0$, we can compute easily all coefficients
of $\mathcal{P}$ up to a common factor. If $a_{11} + a_{22} = 0$ then we also can compute all coefficients easily.

• $a_{11} \ne 0$, $a_{22} = 0$: If $a_{12} = 0$ then we use the inputs $(x_1, x_2) := (x, x)$ and we obtain HQPP for
the polynomial $a_{11}x^2 + (b_1 + b_2)x$. With $\mathcal{R}$ we can determine the quotient $(b_1 + b_2)/a_{11}$ and
together with the already known value $b_1/a_{11}$ we obtain the missing $b_2/a_{11}$. If $a_{12} \ne 0$ then
we pick $\alpha \in \mathbb{F}_q \setminus \{0\}$ such that $1 + \alpha a_{12}/a_{11} \ne 0$ and we use the inputs $(x_1, x_2) := (x, \alpha x)$.
We obtain HQPP for $(a_{11} + \alpha a_{12})x^2 + (b_1 + \alpha b_2)x$, which can be used to find $r \in \mathbb{F}_q$ such
that $(b_1 + \alpha b_2) = r(a_{11} + \alpha a_{12})$. This gives us the missing fraction $b_2/a_{11}$. The case $a_{22} \ne 0$
and $a_{11} = 0$ can be treated in a similar way.

• $a_{11} = a_{22} = 0$, $q \ne 2$: We use the inputs $(x_1, x_2) := (x, x)$ and obtain HQPP for the
polynomial $a_{12}x^2 + (b_1 + b_2)x$ that can be used to decide whether $a_{12} = 0$ or not. If it is
non-zero then we compute $(b_1 + b_2)/a_{12}$. Furthermore, we can choose $\alpha \in \mathbb{F}_q^*$, $\alpha \ne 1$, and
we use the inputs $(x_1, x_2) := (x, \alpha x)$ to compute the fraction $(b_1 + \alpha b_2)/(\alpha a_{12})$. From these
two fractions we can determine $b_1/a_{12}$ and $b_2/a_{12}$. If $a_{12} = 0$ then we have the polynomial
$b_1 x_1 + b_2 x_2$ and we can determine the ratio between $b_1$ and $b_2$ by the algorithm for the abelian
HSP over the additive group of $\mathbb{F}_q^2$. Note that we use a quantum computer for an efficient
implementation of this step of the reduction.

• $a_{11} = a_{22} = 0$, $q = 2$: We use the inputs $(x_1, x_2) := (x, 0)$ and we obtain HPP for the polynomial
$b_1 x$. We can easily test whether it is constant, i.e. $b_1 = 0$, or not. The coefficient $b_2$ can be
computed in a similar way. The input $(x_1, x_2) := (x, 1)$ gives us $a_{12} + b_1$.

This shows that we can find all coefficients of a bivariate polynomial up to a common factor
when we use $\mathcal{R}$ only a constant number of times and some additional operations, which can be
performed efficiently on a quantum computer.

Next we consider the case $n = 3$. Substituting zero in $x_3$, we can use the algorithm for the
bivariate case to test whether $a_{11} = 0$. If $a_{11} \ne 0$ we can determine the quotient of the remaining
coefficients (except for $a_{23}$) and $a_{11}$ by substituting zero in $x_2$ or $x_3$ and using the algorithm for
the bivariate case. For $a_{23}$ we can substitute $(x_1, x_2, x_3) = (x, y, y)$ and obtain the polynomial

    $a_{11}x^2 + (a_{12} + a_{13})xy + (a_{22} + a_{23} + a_{33})y^2 + b_1 x + (b_2 + b_3)y.$

Then the algorithm for the bivariate case gives us $(a_{22} + a_{23} + a_{33})/a_{11}$ from which we can compute
$a_{23}/a_{11}$. The cases where any of the coefficients $b_1$, $a_{22}$, $b_2$, $a_{33}$, or $b_3$ is non-zero can be treated in a
similar way. It remains to handle the case of a polynomial of the form $a_{12}x_1x_2 + a_{13}x_1x_3 + a_{23}x_2x_3$.
Then substituting 1 in $x_3$ gives the polynomial $a_{12}x_1x_2 + a_{13}x_1 + a_{23}x_2$ and the ratio between the
three coefficients can be found by the bivariate algorithm.

The case $n = 4$ can be handled as follows. We apply the algorithm of the preceding paragraph
to the four polynomials obtained by substituting zero in $x_1$, $x_2$, $x_3$, and $x_4$, respectively. Observe
that these steps determine the ratio between pairs of coefficients that have indices that fit in a
three-element subset of $\{1, 2, 3, 4\}$. By transitivity, we are done unless our polynomial is of the form
$a_{12}x_1x_2 + a_{34}x_3x_4$, $a_{13}x_1x_3 + a_{24}x_2x_4$, or $a_{14}x_1x_4 + a_{23}x_2x_3$. If it is of the form $a_{12}x_1x_2 + a_{34}x_3x_4$ then
we can determine the ratio between the coefficients by using the bivariate algorithm by substituting
$x_1$ in $x_2$ and $x_3$ in $x_4$. The two remaining polynomials can be treated in a similar way.

Finally we consider the case $n > 4$. Using $O(n^2)$ applications of the bivariate algorithm, we find
indices $i \ne j$ such that at least one of $a_{ii}$, $b_i$ or $a_{ij}$ is non-zero. The ratio between this coefficient
and any other can be computed using the algorithm for two, three, or four variables. The cost of
these steps amounts to $O(n^2)$ applications of the procedure $\mathcal{R}$ and a polynomial number of other
operations. □

Theorem 3. HPP($\mathbb{F}_q, n, 2$) can be solved by a polynomial time quantum algorithm over fields of
constant characteristic.

5 Function graph groups and the HPGP 

For dealing with the HPGP we define a family of semidirect product groups that we call function
graph groups. We show that each instance of the HPGP($\mathbb{F}_q, 1, d$) can be reduced to the HSP for
an appropriate function graph group corresponding to univariate polynomials of degree at most $d$.
These special function graph groups are semidirect products of groups of $q$-power order. Therefore,
they cannot be Frobenius groups.

5.1 The HPGP as HSSP over function graph groups 

It will be convenient to work in a more general setting. 

Definition 4. Let $A$ and $B$ be two abelian groups. The family of functions mapping $A$ to $B$ forms
an abelian group $\mathcal{F}$ with the addition defined as $(Q_1 + Q_2)(x) = Q_1(x) + Q_2(x)$. For every $t \in A$,
the shift map $\alpha_t$ defined as $(\alpha_t Q)(x) = Q(x - t)$ is an automorphism of this group. A function group
from $A$ to $B$ is a subgroup $K$ of $\mathcal{F}$ which is closed under the shift maps. We denote the restriction
of $\alpha_t$ to $K$ also with $\alpha_t$. Then the map $t \mapsto \alpha_t$ is a homomorphism from $A$ to the automorphism
group of $K$. The function graph group $\mathrm{Fg}(K)$ is defined as the semidirect product $K \rtimes_{t \mapsto \alpha_t} A$.

The multiplication of $\mathrm{Fg}(K)$ is given by the rule

    $(Q_1, t_1)(Q_2, t_2) = (Q_1 + \alpha_{t_1} Q_2, t_1 + t_2).$

The shifting action $\circ$ of $\mathrm{Fg}(K)$ on $A \times B$ is defined as

    $(Q, t) \circ (x, y) = (x + t, y + Q(x + t)).$

For $t \in A$ and $Q \in K$, we set $a_{Q,t} = (Q - \alpha_t Q, t)$, the conjugate of the element $(0, t)$ by $(Q, 0)$.
Furthermore, let $A_Q = \{a_{Q,t} : t \in A\}$ be the conjugate of the subgroup $\{(0, t) : t \in A\}$ by $(Q, 0)$.
Then every $A_Q$ is a subgroup of $\mathrm{Fg}(K)$ that is complementary to the normal subgroup $\{(Q, 0) :
Q \in K\}$. We call them standard complements, and we denote by $\mathcal{SC}$ the family $\{A_Q : Q \in K\}$ of
the standard complements.

We are now ready to show a connection between function graph problems and the orbits of the 
standard complements in function graph groups. 

Proposition 6. Let $\mathrm{Fg}(K)$ be a function graph group, let $\circ$ be its shifting action on $A \times B$, and
let $A_Q$ be a standard complement. Then $A_Q$ is closed and the orbits of $A_Q$ are the level sets of the
function $f : (x, y) \mapsto y - Q(x)$ on $A \times B$.

Proof. Assume that $A_Q$ is not closed. Then, as $A_Q$ is a complement of $\{(Q', 0) : Q' \in K\}$, there
exists $Q' \in K \setminus \{0\}$ such that $(x, y + Q'(x)) = (Q', 0) \circ (x, y) \in A_Q \circ (x, y)$ for every pair $(x, y) \in A \times B$.
This is a contradiction since $a_{Q,t} \circ (x, y) = (x, y')$ is only possible if $t = 0$ and $y' = y$.

To see the second part of the statement, observe that $f(x, y) = f(x', y')$ iff $\exists t \in A : (x', y') =
(x + t, y - Q(x) + Q(x + t))$ iff $\exists t \in A : (x', y') = a_{Q,t} \circ (x, y)$ iff $(x', y') \in A_Q \circ (x, y)$. □

We now specialize function graph groups to polynomials which relate them to the HPGP. Let
$A$ and $B$ be the additive group of $\mathbb{F}_q$ and let $K$ be $\mathbb{F}_q^{(d)}[x]$, the set of polynomials of degree at most
$d$. Observe that we include also polynomials with non-zero constant terms in order to be closed
under the shifts. Then Proposition [6] translates to the following statement.

Proposition 7. Let $f : \mathbb{F}_q \times \mathbb{F}_q \to S$ be a function. Then $f$ hides for HPGP($\mathbb{F}_q, 1, d$) the polynomial
$Q$ if and only if for HSSP($\mathrm{Fg}(\mathbb{F}_q^{(d)}[x]), \mathbb{F}_q \times \mathbb{F}_q, \circ, \mathcal{SC}$) it hides the standard complement $A_Q$ by
symmetries.

5.2 Small bases for standard complements 

In this section, we construct strong bases for the standard complements in function graph groups. 
The next lemma gives a simple characterization of such bases. 

Lemma 4. Let $\mathrm{Fg}(K) = K \rtimes A$ be a function graph group with action $\circ$ on $A \times B$. Let $D =
\{(x_1, y_1), \dots, (x_\ell, y_\ell)\}$ be a subset of $A \times B$. Then $D$ is an $\mathcal{SC}$-strong base if and only if for all
$Q \in K$, the equation $Q(x_1) = \dots = Q(x_\ell) = 0$ implies $Q = 0$.

Proof. As $\mathcal{SC}$ is closed under conjugation, by the remarks following Definition [3], $D$ is an $\mathcal{SC}$-
strong base if and only if $\bigcap_{i=1}^{\ell} A_Q \mathrm{Fg}(K)_{(x_i, y_i)} = A_Q$ for every $Q \in K$. The statement $(Q', t') \in
A_Q \mathrm{Fg}(K)_{(x_i, y_i)}$ is true if and only if there is a $t_i \in A$ such that $(Q', t') \circ (x_i, y_i) = a_{Q,t_i} \circ (x_i, y_i)$.
This can be rewritten as $(x_i + t', y_i + Q'(x_i + t')) = (x_i + t_i, y_i - Q(x_i) + Q(x_i + t_i))$. The equality
holds if and only if $t_i = t'$ and $(\alpha_{-t'}Q' - \alpha_{-t'}Q + Q)(x_i) = 0$. Hence, an element $(Q', t')$ is in the
intersection $\bigcap_{i=1}^{\ell} A_Q \mathrm{Fg}(K)_{(x_i, y_i)}$ iff $t_i = t'$ and $(\alpha_{-t'}Q' - \alpha_{-t'}Q + Q)(x_i) = 0$ holds for all $i$.

We first prove the "only if" part of the lemma. To this end, let $D$ be an $\mathcal{SC}$-strong base and
let $R \in K$ be a function such that $R(x_i) = 0$ for all $i$. Let

    $(Q', t') \in \bigcap_{i=1}^{\ell} A_Q \mathrm{Fg}(K)_{(x_i, y_i)}$

be any element. Since $D$ is a base we know that the intersection is equal to $A_Q$ and from this
$(Q', t') = (Q - \alpha_{t'}Q, t')$ follows. We also know that $(\alpha_{-t'}Q' - \alpha_{-t'}Q + Q)(x_i) = 0$ for all $i$ and the
same is true for $\alpha_{-t'}Q' + R - \alpha_{-t'}Q + Q$. Hence, we also have $(Q' + \alpha_{t'}R, t')$ in the intersection and
$(Q' + \alpha_{t'}R, t') = (Q - \alpha_{t'}Q, t')$ follows. We have $(Q', t') = (Q' + \alpha_{t'}R, t')$ and this directly implies
$\alpha_{t'}R = R = 0$.

To see the "if" part of the lemma, observe that the second statement of the lemma, applied to
the function $\alpha_{-t'}Q' - \alpha_{-t'}Q + Q$, implies that $\alpha_{-t'}Q' - \alpha_{-t'}Q + Q = 0$. We apply the shift map $\alpha_{t'}$
to this equality and we obtain $Q' = Q - \alpha_{t'}Q$. Hence, we have $(Q', t') = a_{Q,t'} \in A_Q$ and this shows
that $D$ is an $\mathcal{SC}$-strong base. □

Combining the statements of this section we obtain the following result. 

Theorem 4. HPGP($\mathbb{F}_q, 1, d$) can be reduced to HSP($\mathrm{Fg}(\mathbb{F}_q^{(d)}[x]), \mathcal{SC}$) in polynomial time in $d$ and
$\log q$.

Proof. Univariate polynomials of degree d have at most d roots over a field. Therefore, by Proposi- 
tion[71 LemmaUland Lemma [H we can associate in polynomial time an instance of HPGP(Fg, 1, d) 

that hides a polynomial $Q$ with symmetries to an instance of HSP($\mathrm{Fg}(\mathbb{F}_q^{(d)}[x]), \mathcal{SC}$) that hides the
subgroup $A_Q$. Then the polynomial $Q$ (up to a constant term) can be recovered from generators
for $A_Q$ as follows. The elements $(Q - \alpha_{t_1}Q, t_1), \dots, (Q - \alpha_{t_\ell}Q, t_\ell)$ generate $A_Q$ if and only if
$t_1, \dots, t_\ell$ generate the additive group of $\mathbb{F}_q$. It follows that for arbitrary $s \in \mathbb{F}_q$, we can efficiently
compute $Q - \alpha_s Q$ using the group operation in $A_Q \le \mathrm{Fg}(\mathbb{F}_q^{(d)}[x])$. Substituting $s$ into $Q - \alpha_s Q$
gives $Q(s) - Q(0)$. We do this for $d$ different values $s \in \mathbb{F}_q$ and compute $Q - Q(0)$ using Lagrange
interpolation. □
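
The recovery step of this proof, together with the orbit statement of Proposition 6 and the base criterion of Lemma 4, can be checked classically on a small instance. The Python sketch below is an added example, not code from the paper; it assumes a prime field (p = 7), degree bound d = 3, polynomials stored as coefficient tuples and a constructed hidden polynomial, and all function names are hypothetical.

```python
from itertools import product

P, D = 7, 3  # constructed instance: prime field F_7, polynomials of degree <= 3

def ev(Q, x):
    """Evaluate the coefficient tuple Q = (c_0, ..., c_D) at x in F_P."""
    return sum(c * pow(x, i, P) for i, c in enumerate(Q)) % P

def shift(Q, t):
    """Shift map: coefficients of (alpha_t Q)(x) = Q(x - t), by Horner's rule."""
    out = [0] * (D + 1)
    for c in reversed(Q):
        nxt = [0] * (D + 1)
        for i, o in enumerate(out):          # nxt = out * (x - t)
            nxt[i] = (nxt[i] - t * o) % P
            if i < D:
                nxt[i + 1] = (nxt[i + 1] + o) % P
        nxt[0] = (nxt[0] + c) % P
        out = nxt
    return tuple(out)

def mul(g1, g2):
    """Group law (Q1, t1)(Q2, t2) = (Q1 + alpha_{t1} Q2, t1 + t2)."""
    (Q1, t1), (Q2, t2) = g1, g2
    return tuple((a + b) % P for a, b in zip(Q1, shift(Q2, t1))), (t1 + t2) % P

def act(g, pt):
    """Shifting action (Q, t) o (x, y) = (x + t, y + Q(x + t))."""
    (Q, t), (x, y) = g, pt
    return (x + t) % P, (y + ev(Q, x + t)) % P

def complement_element(Q, t):
    """a_{Q,t} = (Q - alpha_t Q, t), an element of the standard complement A_Q."""
    return tuple((a - b) % P for a, b in zip(Q, shift(Q, t))), t % P

def orbit(Q, pt):
    """Orbit of pt under the standard complement A_Q."""
    return {act(complement_element(Q, t), pt) for t in range(P)}

def level_set(Q, pt):
    """Level set of f(x, y) = y - Q(x) through pt (Proposition 6)."""
    target = (pt[1] - ev(Q, pt[0])) % P
    return {(x, y) for x in range(P) for y in range(P)
            if (y - ev(Q, x)) % P == target}

def is_strong_base(xs):
    """Lemma 4 criterion: only Q = 0 vanishes at every x_i (brute force over K)."""
    return all(any(ev(Q, x) for x in xs)
               for Q in product(range(P), repeat=D + 1) if any(Q))

def interpolate(points):
    """Lagrange interpolation over F_P; coefficients, lowest degree first."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:                       # basis *= (x - xj)
                basis = [(a - xj * b) % P
                         for a, b in zip([0] + basis, basis + [0])]
                denom = denom * (xi - xj) % P
        scale = yi * pow(denom, -1, P) % P
        coeffs = [(c + scale * b) % P for c, b in zip(coeffs, basis)]
    return tuple(coeffs)

def recover(generator):
    """Recover Q - Q(0) from one generator (Q - alpha_t Q, t) of A_Q, t != 0."""
    points, g = [(0, 0)], generator
    for _ in range(D):                       # powers of the generator are a_{Q,s}
        R, s = g
        points.append((s, ev(R, s)))         # (Q - alpha_s Q)(s) = Q(s) - Q(0)
        g = mul(g, generator)
    return interpolate(points)

HIDDEN = (5, 2, 0, 3)                        # constructed: Q = 5 + 2x + 3x^3
```

Only the group law and evaluation are used in `recover`, so the constant term 5 of the constructed polynomial is, as the proof states, not recoverable.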

We remark that the group $\mathrm{Fg}(\mathbb{F}_q^{(d)}[x])$ is of nilpotency class $d + 1$. However, we can actually
give a reduction to the HSP in a group of class $d$. To this end, observe that the hidden subgroup
is a conjugate of the complement $\mathbb{F}_q$. Therefore, it can be found in the subgroup generated by the
commutator of $\mathbb{F}_q$ with $\mathbb{F}_q^{(d)}[x]$ (this is an abelian normal subgroup) and the complement $\mathbb{F}_q$. This
semidirect product group has nilpotency class $d$.

Note that semidirect product groups $\mathrm{Fg}(\mathbb{F}_q^{(d)}[x])$ are metabelian and that their exponent is the
characteristic of $\mathbb{F}_q$. Therefore, for fixed characteristic, we can apply Fact [2] (b) to obtain the
following result.

Corollary 2. Assume that $q$ is a power of a fixed prime $p$. Then HPGP($\mathbb{F}_q, 1, d$) can be solved by
a quantum algorithm in time polynomial in $d$ and $\log q$.

This corollary allows us to complete Fact H] (b), because it can be applied to fields of charac-
teristic in the set $E_d$ that were left open. Since $E_d$ is finite it follows that for fixed $d$ we can solve
HPGP($\mathbb{F}_q, 1, d$) in quantum polynomial time for all finite fields. Together with Fact U] (a) this
improves the overall result of [9]: the HPGP($\mathbb{F}_q, n, d$) can be solved efficiently for all finite fields
when $n$ and $d$ are constant. We further improve this result in the next section where we present a
more powerful reduction of the multivariate problem to the univariate case.
We conclude this section by showing that the HSP for semidirect product groups of the form
$\mathbb{Z}_p^m \rtimes \mathbb{Z}_p$ can be reduced to a multidimensional analogue of the HPGP. This HSP is discussed in [3]
and it is shown there that the HSP for all possible subgroups can be reduced to the HSP where the
hidden subgroups are complements of $\mathbb{Z}_p^m$. Let $H$ be such a subgroup. Following arguments of [3],
we show that the cosets of $H$ can be considered as level sets of a polynomial map from $\mathbb{Z}_p^{m+1}$ to $\mathbb{Z}_p^m$
of the form $y - Q(x)$, where $y = (y_1, \dots, y_m)$ and $Q(x) = (Q_1(x), \dots, Q_m(x))$, each $Q_i(x)$ being a
univariate polynomial over $\mathbb{Z}_p$ of degree at most $d$. Here $d \le \min\{m, p\}$ depends on the structure
of $G$ (actually its nilpotency class).

To this end, notice that the semidirect product structure is given by a linear transformation $A$ on
$\mathbb{Z}_p^m$. (This is the action of the generator 1 of $\mathbb{Z}_p$ on $\mathbb{Z}_p^m$.) We have $A^p = I$, whence $B = A - I$ satisfies
$B^p = (A - I)^p = A^p - I^p = 0$. Therefore, there exists a smallest positive integer $d \le \min\{m, p\}$
such that $B^d = 0$.

A subgroup $H_v$ complementary to $\mathbb{Z}_p^m$ in $\mathbb{Z}_p^m \rtimes \mathbb{Z}_p$ consists of the powers of an element of the
form $(v, 1)$ for some $v \in \mathbb{Z}_p^m$. With the map

these powers are the pairs $(Q_v(t), t)$, for $t \in \mathbb{Z}_p$, and the right cosets of $H_v$ are the sets of the pairs
$(Q_v(t) + y, t)$, for $t \in \mathbb{Z}_p$, where $y \in \mathbb{Z}_p^m$. It turns out that the entries of the matrix of $\sum_{j=0}^{t-1} A^j$,
as functions in $t$, are polynomials of degree at most $d$ with zero constant term (see [3]). Therefore,
the same holds for the coordinates $Q_{v,i}$ of the vector $Q_v(t)$. In other words, the map $t \mapsto Q_v(t)$ is
a polynomial map from $\mathbb{Z}_p$ to $\mathbb{Z}_p^m$ of degree $d$ with zero constant term. Hence, the cosets of $H_v$ are
exactly the level sets for the polynomial map

    $(y_1, \dots, y_m, x) \mapsto (y_1 - Q_{v,1}(x), \dots, y_m - Q_{v,m}(x))$    (3)

from $\mathbb{Z}_p^{m+1}$ to $\mathbb{Z}_p^m$.

It follows that any function on $\mathbb{Z}_p^m \rtimes \mathbb{Z}_p$ that hides the subgroup $H_v = \langle (v, 1) \rangle$ directly defines an
instance of the $m$-dimensional analogue of the HPGP for $Q_v$ as defined in Eq. ([2]). If we solve the
$m$-dimensional HPGP for these instances, i.e., if we determine $Q_v$, then we obtain $v$ by calculating
$v = Q_v(1)$.

This shows that the HSP of $\mathbb{Z}_p^m \rtimes \mathbb{Z}_p$ can be indeed efficiently reduced to the $m$-dimensional
analogue of the HPGP. Plugging $A = \mathbb{Z}_p$, $B = \mathbb{Z}_p^m$ and $K = (\mathbb{Z}_p^{(d)}[x])^m$ into Proposition [6] we
obtain that this problem can be viewed as an instance of the HSSP over a semidirect product $K$
with $\mathbb{Z}_p$. Here the functions are vectors of univariate polynomials. Therefore, by Lemma [4] small
bases exist and can be found easily and the reduction to a HSP works. Note, however, that the
new group is in general much bigger than the original one.

These reductions explain why it was possible to construct the algorithm of [9] in close analogy
with the pretty good measurement framework of [3] for semidirect product groups.

5.3 Reduction of multivariate HPGP to univariate case 

The scheme of [9] for reducing the multivariate HPGP to the univariate case can be improved with
the help of a generalized Vandermonde matrix.

Theorem 5. An instance of HPGP($\mathbb{F}_q, n, d$) can be reduced to 0(^ ^") instances of HPGP($\mathbb{F}_q, 1, d$)
by a classical algorithm with running time polynomial in ( ) . If $d$ is constant then HPGP($\mathbb{F}_q, n, d$)
can be solved by a polynomial time quantum algorithm.

We prove the theorem in the remainder of the subsection. For this, we consider $n$-variate
polynomials of the special form

    $y - Q(x_1, \dots, x_n)$ with $Q \in \mathbb{F}_q[x_1, \dots, x_n]$.    (4)

Note that we changed the notation by replacing the polynomials $Q(x_i)$ in Def. [I by polynomials
$Q(x_1, \dots, x_n) \in \mathbb{F}_q[x_1, \dots, x_n]$. This makes the following discussion easier. Recall that the con-
stant term of the polynomials $Q(x_1, \dots, x_n)$ is assumed to be zero since it cannot be determined.
Furthermore, the identity $x^q = x$ in $\mathbb{F}_q$ implies that we can only distinguish polynomials that are
reduced modulo $x_i^q - x_i$ for all variables $x_i$. Hence, for a maximum total degree $d$ we only consider
local degrees of at most $\min\{d, q - 1\}$, i.e., the power of each $x_i$ in all monomials occurring in
$Q(x_1, \dots, x_n)$ is less than or equal to this minimum.
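For each $j$ with $1 \le j \le n$ let

    $\mathcal{I}^{(j)} := \{ \alpha \in \mathbb{N}^j : \sum_i \alpha_i \le d, \ \alpha_i \le \min\{d, q - 1\} \text{ for } i = 1, \dots, j \} \setminus \{(0, \dots, 0)\}$

be the set of all exponent vectors for the monomials of total degree at most $d$ when the variables
are restricted to $x_1, \dots, x_j$. For each $\alpha \in \mathcal{I}^{(j)}$ let

    $m_\alpha := x_1^{\alpha_1} \cdots x_j^{\alpha_j}$

denote the corresponding monomial. For $j$ and $j'$ with $1 \le j < j' \le k$, a monomial $m_\alpha$ with
$\alpha = (\alpha_1, \dots, \alpha_j) \in \mathcal{I}^{(j)}$ is also defined by $\alpha = (\alpha_1, \dots, \alpha_j, 0, \dots, 0) \in \mathcal{I}^{(j')}$. Finally, for $v =
(v_1, \dots, v_j) \in \mathbb{F}_q^j$ let

    $m_\alpha(v) := v_1^{\alpha_1} \cdots v_j^{\alpha_j}$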

denote the evaluation of the monomial rria at the point v. For q > i, the number of such monomials 
is given by the simple expression 

For q < i, the number of such monomials is determined with the inclusion-exclusion principle, 
which leads to the expression 

i^"'i=|:(-i)*(orr')-^' 

We use the convention that the binomial coefficient is zero if the number at the top is negative.
With the help of $\mathcal{I}^{(j)}$ we can define the generalized Vandermonde matrix and describe an efficient
construction.

Lemma 5. Let $d$ be the maximum total degree of the monomials in $\mathcal{I}^{(j)}$ over the field $\mathbb{F}_q$. Then
there is a classical algorithm for constructing a set $V^{(j)} \subseteq \mathbb{F}_q^j$ of cardinality $|\mathcal{I}^{(j)}|$ such that the
square matrix

    $M^{(j)} := \big( m_\alpha(v) \big)_{v \in V^{(j)}, \alpha \in \mathcal{I}^{(j)}}$    (5)

has full rank. This matrix is called the generalized Vandermonde matrix. The running time of the
algorithm is polynomial in $|\mathcal{I}^{(j)}|$.
Proof. This statement is proved in [25]. For the sake of completeness we present here another
proof which is also much simpler than the original one. The condition that $M^{(j)}$ has full rank is
equivalent to the following condition: for every (non-zero) polynomial

    $F(x_1, \dots, x_j) = \sum_{\alpha \in \mathcal{I}^{(j)}} c_\alpha m_\alpha$    (6)

there is at least one $v \in V^{(j)}$ such that $F(v) \ne 0$.

Let $b := \min\{d, q - 1\}$ denote the upper bound on the local degrees. For $j = 1$, we have
$\mathcal{I}^{(1)} = \{(1), \dots, (b)\}$ and the corresponding set of monomials is $\{x_1, x_1^2, \dots, x_1^b\}$. We can choose
$V^{(1)} := \{v_1, v_2, \dots, v_b\}$ to be a set containing $b$ different non-zero elements of $\mathbb{F}_q$. Then the matrix

    $M^{(1)} = \begin{pmatrix} v_1 & v_1^2 & \cdots & v_1^b \\ v_2 & v_2^2 & \cdots & v_2^b \\ \vdots & \vdots & & \vdots \\ v_b & v_b^2 & \cdots & v_b^b \end{pmatrix}$

has the full rank $|\mathcal{I}^{(1)}| = b$. Observe that we obtain a (square) Vandermonde matrix by multiplying
$M^{(1)}$ with $\mathrm{diag}(v_1^{-1}, v_2^{-1}, \dots, v_b^{-1})$ from the left. We choose $v_1$ to be equal to 1.

Assume that we have already determined a suitable $V^{(j-1)}$ for some $j \ge 2$. We show how to
obtain $V^{(j)}$ using $V^{(j-1)}$.



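1. Set $V^{(j)} \leftarrow \{(1, \dots, 1)\} \subseteq \mathbb{F}_q^j$

2. Set $L^{(j)} \leftarrow \big( m_\alpha(v) \big)_{v \in V^{(j)}, \alpha \in \mathcal{I}^{(j)}}$    (7)

3. REPEAT

4. Determine a (non-trivial) vector $c = (c_\alpha) \in \mathbb{F}_q^{|\mathcal{I}^{(j)}|}$ in the kernel of $L^{(j)}$

5. Set $G(x_1, \dots, x_j) \leftarrow \sum_{\alpha \in \mathcal{I}^{(j)}} c_\alpha m_\alpha$

6. Determine a vector $u \in \mathbb{F}_q^j$ such that $G(u) \ne 0$

7. Set $V^{(j)} \leftarrow V^{(j)} \cup \{u\}$

8. Add the row vector $(m_\alpha(u))_{\alpha \in \mathcal{I}^{(j)}}$ at the bottom of $L^{(j)}$

9. UNTIL the rank of $L^{(j)}$ is maximal
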

We now explain how the different steps can be implemented efficiently and why the algorithm
produces a valid $V^{(j)}$.

We can compute a non-trivial vector $c$ in the kernel of $L^{(j)}$ in step 4 with Gaussian elimination.
To find a $u$ with $G(u) \ne 0$ in step 5, we write $G$ in the form

    $G(x_1, \dots, x_j) = \sum_{i=1} F_i(x_1, \dots, x_{j-1}) \cdot x_j^i \in \mathbb{F}_q[x_1, \dots, x_{j-1}][x_j].$

At least one of the polynomials $F_i$ is non-zero because $G$ is non-zero. Set $F$ to be the non-zero $F_i$
with the smallest $i$. We can write $F$ as

    $F(x_1, \dots, x_{j-1}) = \sum_{\beta \in \mathcal{I}^{(j-1)}} d_\beta m_\beta \in \mathbb{F}_q[x_1, \dots, x_{j-1}]$

with appropriate coefficients $d_\beta \in \mathbb{F}_q$. There exists a vector $v = (v_1, \dots, v_{j-1}) \in V^{(j-1)}$ with
$F(v) \ne 0$. This is because otherwise we would have a non-trivial linear dependency of the rows of
$M^{(j-1)}$ corresponding to the elements in $V^{(j-1)}$. Hence, the polynomial $P(x) := G(v_1, \dots, v_{j-1}, x)$
is a non-zero univariate polynomial that can be written as a linear combination of monomials $m_\gamma$
with $\gamma \in \mathcal{I}^{(1)}$. The element $w \in \mathbb{F}_q$ with $P(w) \ne 0$ can be found among the elements of $V^{(1)}$. We
obtain the desired vector $u$ by setting it equal to $(v_1, \dots, v_{j-1}, w)$.

By adding the new row vector to $L^{(j)}$ in step 8 we achieve that the vector $c$ is no longer in the
kernel of the new augmented matrix. Hence, we reduced the dimension of the kernel of the linear
map defined by this matrix. In other words, we have increased its rank by exactly 1. This shows
that the algorithm terminates. □

We are now ready to describe the improved reduction. 

Lemma 6. Let $V^{(n)}$ be as in Lemma [5]. Then the coefficients of the hidden polynomial of Eq. ([4])
can be determined by solving the univariate HPGP for the polynomials $Q(v_1 x, v_2 x, \dots, v_n x)$ for all
$v \in V^{(n)}$.

Proof. The unknown polynomials can be expressed as

    $Q(x_1, \dots, x_n) = \sum_{\ell=1}^{d} Q_\ell(x_1, \dots, x_n),$

where $Q_\ell$ denotes the homogeneous part of total degree $\ell$.

For each $v = (v_1, \dots, v_n) \in \mathbb{F}_q^n$ the substitution $x_i \mapsto v_i x$ in the hidden multivariate polynomial
$Q$ leads to the univariate polynomial

    $P_v(x) := Q(v_1 x, \dots, v_n x) = \sum_{\ell=1}^{d} Q_\ell(v) x^\ell.$

We determine the coefficients $Q_\ell(v)$ of $P_v(x)$ by using the quantum algorithm for the univariate
case. Let $z = [q_\alpha]_{\alpha \in \mathcal{I}^{(n)}}$ be the column vector whose entries are the unknown coefficients we seek
to learn. Let $y = [Q_1(v) + \dots + Q_d(v)]_{v \in V^{(n)}}$ be the column vector whose entries are the sums of
evaluations of the homogeneous parts $Q_\ell$ at the points $v \in V^{(n)}$. We have $M^{(n)} z = y$. Hence, we
can recover $z$ since the generalized Vandermonde matrix $M^{(n)}$ has full rank. □

Theorem [5] follows directly from Lemma [6]. Note that in the course of the above reduction, we
learn $d\,|\mathcal{I}^{(n)}| \log_2(q)$ bits by solving $|\mathcal{I}^{(n)}|$ instances of the univariate case (each instance yielding
exactly $d$ coefficients in $\mathbb{F}_q$). The absolute lower bound is given by $|\mathcal{I}^{(n)}| \log_2(q)$, which corresponds
to the number of bits necessary to specify all coefficients of the hidden polynomial $Q$. This discussion
shows that our method is optimal up to the factor $d$.
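
The construction of Lemma 5 and the linear-algebra step of Lemma 6 can be run classically on a small instance. The Python sketch below is an added example, not code from the paper; it assumes a prime field with p > d (here p = 5, n = 2, d = 2), replaces the recursive choice of u in the proof by a brute-force search over all points, and uses the hypothetical function `univariate_coeffs` as a classical stand-in for the quantum univariate solver.

```python
from itertools import product

P, N, D = 5, 2, 2   # constructed parameters: field F_5, n = 2 variables, degree d = 2

# Exponent vectors of the monomials of total degree 1..D (the index set I^(n)).
EXPS = [a for a in product(range(D + 1), repeat=N) if 0 < sum(a) <= D]

def mono_row(v):
    """Row (m_a(v))_a of the generalized Vandermonde matrix at the point v."""
    row = []
    for a in EXPS:
        m = 1
        for vi, ai in zip(v, a):
            m = m * pow(vi, ai, P) % P
        row.append(m)
    return row

def rref(rows):
    """Reduced row echelon form over F_P; returns (nonzero rows, pivot columns)."""
    rows = [r[:] for r in rows]
    pivots, r = [], 0
    for c in range(len(rows[0])):
        piv = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], -1, P)
        rows[r] = [x * inv % P for x in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(x - f * y) % P for x, y in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    return rows[:r], pivots

def kernel_vector(rows):
    """Step 4: a non-trivial vector c with L c = 0 (L has fewer rows than columns)."""
    red, piv = rref(rows)
    free = next(c for c in range(len(EXPS)) if c not in piv)
    vec = [0] * len(EXPS)
    vec[free] = 1
    for row, p in zip(red, piv):
        vec[p] = -row[free] % P
    return vec

def build_points():
    """Steps 1-9 of the construction; returns the point set V and the matrix M."""
    V = [(1,) * N]
    L = [mono_row(V[0])]
    while len(V) < len(EXPS):                # each round raises the rank by one
        c = kernel_vector(L)
        # G = sum_a c_a m_a; brute-force search for u with G(u) != 0 (assumption)
        u = next(u for u in product(range(P), repeat=N)
                 if sum(ca * ma for ca, ma in zip(c, mono_row(u))) % P)
        V.append(u)
        L.append(mono_row(u))
    return V, L

def univariate_coeffs(q, v):
    """Stand-in oracle: coefficients Q_1(v), ..., Q_D(v) of P_v(x) = Q(v_1 x, ..., v_n x)."""
    out = [0] * D
    for a, qa, ma in zip(EXPS, q, mono_row(v)):
        out[sum(a) - 1] = (out[sum(a) - 1] + qa * ma) % P
    return out

def recover(q_hidden):
    """Lemma 6: solve M z = y with y_v = Q_1(v) + ... + Q_D(v)."""
    V, M = build_points()
    y = [sum(univariate_coeffs(q_hidden, v)) % P for v in V]
    red, piv = rref([row + [yi] for row, yi in zip(M, y)])
    z = [0] * len(EXPS)
    for row, p in zip(red, piv):
        z[p] = row[-1]
    return z
```

As in the text, only the sum of the d coefficients returned per univariate instance enters the linear system.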

Theorem [5] also gives an instance of the HSSP which is solvable in quantum polynomial time,
although no small strong bases exist (and therefore the reduction scheme of Section [3] does not
work directly). Let $A$ and $B$ be the additive group of $\mathbb{F}_q^n$ and $\mathbb{F}_q$, respectively, and let $K$ be
$\mathbb{F}_q^{(d)}[x_1, \dots, x_n]$, the set of polynomials in $n$ variables of total degree at most $d$. Then Proposition [6]
translates to the following statement.

Proposition 8. Let $f : \mathbb{F}_q^n \times \mathbb{F}_q \to S$ be a function. Then $f$ hides for HPGP($\mathbb{F}_q, n, d$) the polynomial
$Q$ if and only if for HSSP($\mathrm{Fg}(\mathbb{F}_q^{(d)}[x_1, \dots, x_n]), \mathbb{F}_q^n \times \mathbb{F}_q, \circ, \mathcal{SC}$) it hides the standard complement
$A_Q$ by symmetries.

Therefore, by Theorem [5] for constant $d$, HSSP($\mathrm{Fg}(\mathbb{F}_q^{(d)}[x_1, \dots, x_n]), \mathbb{F}_q^n \times \mathbb{F}_q, \circ, \mathcal{SC}$) can be
solved in quantum polynomial time. On the other hand, as multivariate polynomials have many
zeros, there are no bases of polynomial size for the action $\circ$ for $n \ge 2$, see Lemma [4].